apt automatic updates

A tutorial on automatic updates built on unattended-upgrades

Background

A project required devices to download and install updates on their own. For various reasons the cluster-management components could not be reused directly, so I looked up and compiled the material below.

Preparation

Since Debian already ships a ready-made automatic-update tool, unattended-upgrades, the configuration in this article is based on it.
# sudo apt-get install unattended-upgrades
If you want update notification e-mails, make sure mailx works on the system.
# sudo apt-get install sendmail
For more detailed output (such as changelogs):
# sudo apt-get install apt-listchanges

Configuration

unattended-upgrades

Ubuntu ships a default configuration for unattended-upgrades at /etc/apt/apt.conf.d/50unattended-upgrades
Its contents are as follows:

// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
//  "${distro_id}:${distro_codename}-security";
    "${distro_id}:${distro_codename}-updates";
//  "${distro_id}:${distro_codename}-proposed";
//  "${distro_id}:${distro_codename}-backports";
};

// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
//  "vim";
//  "libc6";
//  "libc6-dev";
//  "libc6-i686";
};

// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run 
//   dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "false";

// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";

// Install all unattended-upgrades when the machine is shuting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
Unattended-Upgrade::InstallOnShutdown "true";

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
//Unattended-Upgrade::Mail "root";

// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
//Unattended-Upgrade::MailOnlyOnError "true";

// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";

// Automatically reboot *WITHOUT CONFIRMATION*
//  if the file /var/run/reboot-required is found after the upgrade 
//Unattended-Upgrade::Automatic-Reboot "false";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";

// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

The comments are already quite clear, but there are more fields than the file shows. Each field is described below with its meaning and setting (the names correspond to the variables of the jnv/ansible-role-unattended-upgrades Ansible role listed in the references); configure them according to your needs.

  • unattended_cache_valid_time
    How long the apt cache stays valid before it is refreshed.

    • Default: 3600 (seconds)
  • unattended_origins_patterns
    Automatic updates are taken only from sources whose "origin" and "archive" match these patterns.
    To see the current sources, run

    apt-cache policy

    The a= and o= values in its output are what you fill in, in "origin:archive" format.
    Two macros are also available:

    ${distro_id}: distribution name, e.g. debian or ubuntu
    ${distro_codename}: codename, e.g. jessie or trusty

Example:
Unattended-Upgrade::Origins-Pattern {
    "${distro_id}:${distro_codename}";
    "origin:archive";
    "origin=*";
};

  • unattended_package_blacklist
    Blacklist of packages; packages listed here are never updated.

    • Default: []
  • unattended_upgrade_package_whitelist
    Whitelist of packages; if set, only the listed packages are updated.

    • Default: []
  • unattended_autofix_interrupted_dpkg
    Whether to run dpkg --force-confold --configure -a after an installation so that updates can keep being applied normally.

    • Default: True
  • unattended_minimal_steps
    Split the upgrade into small steps so that it can be interrupted by signals such as SIGUSR1 or SIGINT.

    • Default: False
  • unattended_install_on_shutdown
    Whether to install at shutdown or reboot. Packages are only downloaded and wait to be installed at shutdown or reboot, which slows shutdown and reboot down.

    • Default: False
  • unattended_mail
    Send installation reports to this address. If the value is empty or not an e-mail address, no mail is sent.

    • Default: ""

Example:
Unattended-Upgrade::Mail "user@example.com";

  • unattended_mail_only_on_error
    Whether to send mail only on errors. If this is off, a mail is sent after every update.

    • Default: False
  • unattended_remove_unused_dependencies
    Whether to remove unused packages automatically.

    • Default: False
  • unattended_remove_new_unused_dependencies
    Whether to remove newly unused packages automatically.

    • Default: True
  • unattended_automatic_reboot
    Whether to reboot immediately after installation if /var/run/reboot-required exists.

    • Default: False
  • unattended_automatic_reboot_withusers
    Whether to reboot after installation even when users are logged in.

    • Default: False
  • unattended_keep_debs_after_install
    Whether to keep the downloaded packages after installation (by default they are deleted).

    • Default: False
  • unattended_automatic_reboot_time
    If /var/run/reboot-required exists after an update, reboot at this time instead of immediately (format HH:MM).

    • Default: now
  • unattended_ignore_apps_require_restart
    Whether to ignore packages that require a restart during the update.

    • Default: False
  • unattended_verbose
    Output verbosity level.

    • Values:
      0: no output (default)
      1: progress report
      2: + command outputs
      3: + trace on
  • unattended_update_package_list
    Interval in days between automatic runs of apt-get update.

    • Default: 1
  • unattended_download_upgradeable
    Interval in days between automatic runs of apt-get upgrade --download-only.

    • Default: 0
  • unattended_autoclean_interval
    Interval in days between automatic runs of apt-get autoclean.

    • Default: 7
  • unattended_clean_interval
    Interval in days between automatic runs of apt-get clean.

    • Default: 0
  • unattended_random_sleep
    Maximum random delay before the automatic upgrade starts.

    • Default: 1800 (seconds)
  • unattended_dpkg_options
    Extra dpkg options, e.g. ["--force-confdef"], ["--force-confold"]

    • Default: []
  • unattended_syslogenable
    Whether to write to syslog.

    • Default: False
  • unattended_syslogfacility
    The syslog facility to log under.

    • Default: daemon
  • acquire_http_dl_limit
    HTTP download speed limit, e.g. 70 (kB/s)
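As an added example (not from the original post or the unattended-upgrades project), the script below does the apt-cache policy step from the unattended_origins_patterns item: it parses the o= and a= fields of each release line into "origin:archive" pairs, renders them as an Allowed-Origins block like the one in 50unattended-upgrades, and flags a list that, like the block shown above with its -security line commented out, contains no security archive. The policy text is a constructed sample; on a real host feed in the actual output of apt-cache policy.

```python
"""Derive Allowed-Origins entries from `apt-cache policy` output (added example)."""
import re

# Constructed sample of `apt-cache policy` output for a Debian bullseye host;
# on a real system feed in the command's actual output instead.
SAMPLE_POLICY = """\
Package files:
 100 /var/lib/dpkg/status
     release a=now
 500 http://deb.debian.org/debian bullseye-updates/main amd64 Packages
     release v=11-updates,o=Debian,a=stable-updates,n=bullseye-updates,l=Debian,c=main,b=amd64
     origin deb.debian.org
 500 http://security.debian.org/debian-security bullseye-security/main amd64 Packages
     release v=11,o=Debian,a=stable-security,n=bullseye-security,l=Debian-Security,c=main,b=amd64
     origin security.debian.org
 500 http://deb.debian.org/debian bullseye/main amd64 Packages
     release v=11.6,o=Debian,a=stable,n=bullseye,l=Debian,c=main,b=amd64
     origin deb.debian.org
Pinned packages:
"""

RELEASE_LINE = re.compile(r"^\s*release\s+(.*)$")


def origins_from_policy(policy_text):
    """Return sorted, de-duplicated 'origin:archive' strings from the release lines.
    Each release line holds comma-separated key=value pairs: o= is the origin, a= the
    archive. Entries lacking either (the local dpkg status has only a=now) are skipped."""
    pairs = set()
    for line in policy_text.splitlines():
        m = RELEASE_LINE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group(1).split(",") if "=" in kv)
        if "o" in fields and "a" in fields:
            pairs.add(f"{fields['o']}:{fields['a']}")
    return sorted(pairs)


def render_allowed_origins(pairs):
    """Render the pairs as an Allowed-Origins block in apt.conf syntax."""
    body = "\n".join(f'    "{p}";' for p in pairs)
    return "Unattended-Upgrade::Allowed-Origins {\n" + body + "\n};\n"


def missing_security_origin(pairs):
    """True when no pair names a security archive. Heuristic: the archive part
    contains 'security', which matches Debian bullseye+ and Ubuntu naming."""
    return not any("security" in p.split(":", 1)[1] for p in pairs)
```

On the sample, origins_from_policy yields Debian:stable, Debian:stable-security and Debian:stable-updates; a list with only the -updates pair makes missing_security_origin return True, which is the case worth catching before enabling the service.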

Enable

Edit /etc/apt/apt.conf.d/20auto-upgrades and turn on the relevant functions:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

Debugging

# sudo unattended-upgrade --dry-run -d

Autostart

The configuration above already runs the updates automatically.
If you need finer control, define your own cron job, for example:
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
30 *    * * *   root    apt-get update >> /var/log/update
40 *    * * *   root    unattended-upgrade -d >>/var/log/unattend

Copy the above into /etc/cron.d/ and the package lists are refreshed at minute 30 of every hour, with unattended-upgrade fetching and installing packages at minute 40.

Other

By default, logs are written to /var/log/unattended-upgrades
If a package's dependency is not provided by a source matched by Origins-Pattern, that package is not installed


References

https://github.com/jnv/ansible-role-unattended-upgrades
https://github.com/mvo5/unattended-upgrades
https://help.ubuntu.com/lts/serverguide/automatic-updates.html
https://wiki.debian.org/UnattendedUpgrades
https://help.ubuntu.com/community/AutomaticSecurityUpdates
https://www.richud.com/wiki/Ubuntu_Enable_Automatic_Updates_Unattended_Upgrades
